In a networked computing environment, a web application may use a trusted security token service to handle identification and authentication of client users, and to issue security tokens comprising identity claims required by the web application.
When a requesting client user is successfully authenticated, the security token service provides the client user with a ticket-granting-ticket (TGT). The TGT is encrypted under a secret key held only by the security token service (not a "private key" in the asymmetric sense), so it is opaque to the client, and it can be presented back to the security token service to obtain individual service tokens for sessions with services on the network without the user having to enter a password each time the user wishes to connect with a service. TGTs are often persisted on the user's computing device, together with the session key needed to use them. If that cached credential is compromised, an attacker who copies it can masquerade as the user, without knowing the user's password, until the TGT expires (or, where the TGT is renewable, for as long as it can be renewed). Oftentimes, TGTs are relatively long-lived to provide users with a good user experience, which makes TGTs a prime target for an attacker.